DDoS protection with machine learning

Crossword Cybersecurity has been working on the problem of providing effective protection against Application-layer DDoS attacks by employing machine-learning techniques for around two years. This work is now incorporated into the Nixer product.

The problem with detecting Application-layer (layer 7) DDoS attacks is that they are hard to distinguish from normal user behaviour. They are deliberately kept small compared with Network-layer attacks so as not to trip simple threshold-based defences, and they work by tying up server-side resources, for example by repeatedly starting sign-up or password-reset processes. They are also rotated and changed often, with new attack types emerging every day, which makes signature-based approaches ineffective.
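The following is an added illustration of the point above, not code from Crossword or the Nixer product: it runs a plain per-client request-count threshold and a simple per-client behavioural anomaly score over a constructed access log. The log lines, the client addresses, the endpoint names, the choice of "expensive" endpoints and the rate limit are all assumptions made for the example. The attackers generate no more requests than a busy legitimate user, so the threshold never fires, but because every one of their requests starts a password-reset flow they stand out on a behavioural feature. The z-score baseline is a deliberately simple stand-in for a trained model, and it assumes attacking clients are a minority of the population, since a large attacking share drags the baseline towards itself.

```python
"""
Added example (not Nixer's code): a global request-rate threshold misses a
low-rate layer 7 attack, while a per-client behavioural feature separates it.
Every log line below is constructed; IPs, paths and limits are assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed access-log lines: "client_ip method path status", one per request.
LOG = []


def _add(ip, method, path, status=200, n=1):
    LOG.extend(f"{ip} {method} {path} {status}" for _ in range(n))


# 20 ordinary users: browse, log in, and a few genuinely reset a password
# (start followed by complete).
for i in range(20):
    ip = f"10.0.0.{i + 1}"
    _add(ip, "GET", "/", n=6)
    _add(ip, "GET", "/products", n=10)
    _add(ip, "POST", "/login", n=2)
    if i % 5 == 0:
        _add(ip, "POST", "/password-reset/start")
        _add(ip, "POST", "/password-reset/complete")

# 3 attacking clients: the same volume as a busy user (18 requests), but every
# request starts an expensive password-reset flow that is never completed.
for i in range(3):
    _add(f"198.51.100.{i + 1}", "POST", "/password-reset/start", n=18)

# Assumed server-side-expensive endpoints and an assumed per-client rate limit.
EXPENSIVE = {"/password-reset/start", "/signup/start"}
RATE_LIMIT = 25  # requests per client per window; the attackers stay below it


def threshold_detector(log, limit=RATE_LIMIT):
    """Flag any client whose request count in the window exceeds the limit."""
    counts = Counter(line.split()[0] for line in log)
    return sorted(ip for ip, c in counts.items() if c > limit)


def client_features(log):
    """Per-client features: (fraction of requests to expensive endpoints,
    fraction of password-reset starts that were never completed)."""
    per_ip = defaultdict(Counter)
    for line in log:
        ip, _method, path, _status = line.split()
        per_ip[ip]["total"] += 1
        if path in EXPENSIVE:
            per_ip[ip]["expensive"] += 1
        if path == "/password-reset/start":
            per_ip[ip]["starts"] += 1
        elif path == "/password-reset/complete":
            per_ip[ip]["completes"] += 1
    feats = {}
    for ip, c in per_ip.items():
        expensive_frac = c["expensive"] / c["total"]
        abandoned = (c["starts"] - c["completes"]) / c["starts"] if c["starts"] else 0.0
        feats[ip] = (expensive_frac, abandoned)
    return feats


def anomaly_detector(log, z=2.0):
    """Flag clients whose expensive-endpoint fraction sits more than z standard
    deviations above the population mean. Assumes attackers are a minority of
    clients; otherwise the mean and deviation are pulled towards the attack."""
    feats = client_features(log)
    vals = [f[0] for f in feats.values()]
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:
        return []
    return sorted(ip for ip, (ef, _ab) in feats.items() if (ef - mu) / sigma > z)


if __name__ == "__main__":
    print("threshold flags:", threshold_detector(LOG))
    print("behavioural flags:", anomaly_detector(LOG))
```

Running the block prints an empty list for the threshold detector and the three attacking clients for the behavioural one. The comparison is the point: the attackers' request count is indistinguishable from a heavy user, so only a feature describing what the requests do, rather than how many there are, separates them.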

While Application-layer attacks make up only 10 to 15% of all DDoS attacks, they remain very hard to detect and defend against. Machine learning has often been considered the method most likely to distinguish reliably between good and bad traffic, and that is indeed Crossword's experience.

Crossword's research was originally based on CTO Paul Lewis's work on anomaly detection in large datasets. Paul's background includes working at the UK Defence Academy and Cranfield University. This work was extended to the detection of Layer 7 (Application-layer) Distributed Denial of Service attacks when he joined Crossword in April 2015. A leading machine-learning specialist was later added to the team.